How To for Red Hat Linux 7.1 and SASL

Hello everyone,
I've been testing the How-To document I've written for Red Hat Linux 7.1.
The goal is to use SASL to authenticate the replication user account, and
permit replication traffic to work in plain text.
I already have this configuration working on FreeBSD 4.3 - for details, see
http://home.att.net/~ldap-sasl.howto/freebsd-howto.html . However, the Red
Hat Linux 7.1 instructions aren't complete yet as I'm stuck on an issue.
Please refer to the following documents with this email:
http://home.att.net/~ldap-sasl.howto/primary.slapd.conf - master slapd
configuration file
http://home.att.net/~ldap-sasl.howto/sasl.slapd.conf -
/usr/lib/sasl/slapd.conf
http://home.att.net/~ldap-sasl.howto/backup.slapd.conf - backup slapd
configuration file
linux-howto.html - the DRAFT how-to document
debug.txt - output of /usr/local/libexec/slurpd -d 255
The debug.txt file shows the entire output from slurpd, running on the
primary LDAP server. This server can and will replicate successfully via
SASL with a FreeBSD 4.3 server. However, it cannot yet replicate with the
Red Hat Linux 7.1 server. FYI, the primary LDAP server is running Red Hat
Linux 7.1.
The error that concerns me is on line 270 of debug.txt:
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown error
This does not kick out a reject file as with other slurpd errors.
If you would like to have a How To document for installing OpenLDAP with
SASL on Red Hat Linux, please test the configuration described in
linux-howto.html. I would appreciate it if someone would assist me in
troubleshooting this difficult error. Credit will be given to those who
assist.
Thank you,
Kayne McGladrey
kaymcg@safeco.com
Kayne McGladrey, MCSE
kaymcg@safeco.com
(425)376-5926

How To: Configure SASL Replication for OpenLDAP 2.0.11 on Red Hat 7.1

Kayne McGladrey, October 1st, 2001

Summary: This how-to document describes how to install and
configure OpenLDAP on Red Hat Linux 7.1. The specific objective is to
secure the replication user account via DIGEST-MD5 authentication
implemented in the SASL library. This guide does NOT involve use of
Kerberos, Cyrus-IMAP, or SSL. Under the model described in this
how-to, the user name and password of the replication account will be
passed in an encrypted form. Actual replication traffic will be sent
in plain text. This is a suitable model for use behind a corporate
firewall, where replication traffic will not expose sensitive data.
If you need to secure your replication traffic (e.g., in the case of
authenticating user logins via LDAP), this guide will not help you.

This document has been tested but is by no means complete. If you
have comments or questions, email me at kaymcg@safeco.com
and I may be able to help. Alternatively, join the OpenLDAP mailing
list and post your question there. This how-to would not be possible
without the help of several individuals from that mailing list.
Thanks to

This how-to assumes that you have a working copy of Red Hat Linux
on two servers. The installation and configuration of Red Hat Linux
7.1 is outside the scope of this document. As a side note, I'm
successfully running replication between both Red Hat 7.1 and FreeBSD
4.3.

Determining Which Packages to Install

Type su root and press Enter. Type the root password and press Enter.

By default, the Server installation of Red Hat Linux 7.1 installs
many of the RPMs required. To determine which RPMs to install, type
each of the following commands and press Enter:

rpm -qa | grep cyrus
rpm -qa | grep db3
rpm -qa | grep openssh

You must have both the binary package and the devel package for each
of these commands. Skip those steps for packages that are already
installed. You should expect to have to download openssl-devel
at a minimum.
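To make the binary-plus-devel check above repeatable, here is an added shell check (not part of this how-to) that reads an rpm -qa listing and prints the packages still missing; the package names cyrus-sasl, db3 and openssh, and the sample listing, are assumptions for Red Hat 7.1.

```shell
#!/bin/sh
# Added example, not from the how-to: report which required packages are
# absent from an `rpm -qa` listing, insisting on both the binary and the
# -devel package for each, as the text requires.
# Package names are assumptions for Red Hat 7.1: cyrus-sasl, db3, openssh.
# Usage: rpm -qa | missing_packages
# Prints one missing package name per line; exit 0 if nothing is missing.
missing_packages() {
    listing=$(cat)
    missing=0
    for base in cyrus-sasl db3 openssh; do
        for pkg in "$base" "$base-devel"; do
            # rpm -qa prints name-version-release; the name ends where the
            # version starts, so anchor on "<name>-<digit>" to avoid matching
            # other packages that merely start with the same name.
            if ! printf '%s\n' "$listing" | grep -q "^$pkg-[0-9]"; then
                echo "$pkg"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample listing (versions are made up): both devel packages
# for db3 and openssh are absent, so the check should report them.
SAMPLE_RPM_QA='cyrus-sasl-1.5.24-17
cyrus-sasl-devel-1.5.24-17
db3-3.1.17-7
openssh-2.5.2p2-5
openssh-clients-2.5.2p2-5'

# Stand-alone run over the sample; replace the printf with `rpm -qa` in use.
printf '%s\n' "$SAMPLE_RPM_QA" | missing_packages \
    || echo "install the packages listed above before continuing"
```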

If you don't have the Red Hat CD-ROMs, you'll have to download the
files. You should be able to find the most recent version of each file
at rpmfind.net. Switch the relevant path statements from /mnt/cdrom to
where you downloaded the files, e.g., /home/user/incoming.

Installing OpenSSL

Type umount /cdrom and press Enter. The CD-ROM should now be put
aside.

Type rpm -ivh /home/user/incoming/openssl-devel-2.5.2p2-5.rpm
and press Enter. (Replace /home/user/incoming with the path to the
copy of openssl-devel you downloaded.)

Installing OpenLDAP

Download the stable version of OpenLDAP from OpenLDAP.org.
This document describes installation for 2.0.11 and has not been
tested on more recent versions. If you install on a newer version,
please write and let me know whether these instructions still apply.

If the server you are configuring is a backup LDAP server:

1. Type saslpasswd -c REPL.LDAP.DOMAIN.COM and press Enter. When
prompted, enter the password for REPL.LDAP.DOMAIN.COM and press
Enter. Replace "DOMAIN" with your own domain name.

2. Type sasldblistusers and press Enter. The output should be as
follows:

user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: DIGEST-MD5
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: PLAIN
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: CRAM-MD5

(where server should be equal to the server name).

3. Type cp /home/incoming/backup.slapd.conf /usr/local/etc/openldap/slapd.conf
and press Enter.
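As an added check (not from the how-to), the following shell function reads sasldblistusers output and confirms that the replication account has a DIGEST-MD5 entry in the realm slapd will authenticate against, since an entry stored under a realm other than the server name is a common reason a DIGEST-MD5 bind fails; the sample output is constructed from step 2 and the exit codes are my own convention.

```shell
#!/bin/sh
# Added example, not from the how-to: verify that the replication account
# created with saslpasswd is listed by sasldblistusers with the DIGEST-MD5
# mechanism in the expected realm (the server name, per step 2).
# Usage: sasldblistusers | check_sasl_repl_user <user> <realm>
# Exit status (own convention): 0 = entry found in the expected realm,
# 1 = no DIGEST-MD5 entry for the user, 2 = entry exists, realm differs.
check_sasl_repl_user() {
    want_user="$1"
    want_realm="$2"
    status=1
    while read -r line; do
        # sasldblistusers prints: user: <name> realm: <realm> mech: <mech>
        set -- $line
        [ "$1" = "user:" ] && [ "$3" = "realm:" ] && [ "$5" = "mech:" ] || continue
        [ "$2" = "$want_user" ] && [ "$6" = "DIGEST-MD5" ] || continue
        if [ "$4" = "$want_realm" ]; then
            status=0
            break
        fi
        echo "realm mismatch: sasldb has '$4', expected '$want_realm'" >&2
        status=2
    done
    return $status
}

# Constructed sample, matching the output format shown in step 2.
SAMPLE_SASLDB='user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: DIGEST-MD5
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: PLAIN
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: CRAM-MD5'

# Stand-alone run over the sample; replace the printf with sasldblistusers in use.
printf '%s\n' "$SAMPLE_SASLDB" | check_sasl_repl_user REPL.LDAP.DOMAIN.COM server.domain.com \
    && echo "replication account is ready for DIGEST-MD5" \
    || echo "replication account check failed"
```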

Using the text editor of your choice, edit
/usr/local/etc/openldap/slapd.conf.
The file is commented and has instructions on how to complete each
of the relevant lines. This mostly consists of replacing domain
with your domain name. This particular configuration file uses a
flat namespace and is tuned to suit the needs of Microsoft Outlook
and Netscape Communicator 4.x. Your mileage may vary.

Testing it out

Add some data to your database
using either slapadd or
ldapadd. Make certain to add
the data to both the primary and the backup server.

If slapd
is not started already on the primary server, type
/usr/local/libexec/slapd and
press Enter.

If slapd
is not started already on the backup server, type
/usr/local/libexec/slapd and
press Enter.

Using ldapmodify, gq, or some other tool, modify one of the records
on the primary LDAP server.

Eventually, ldap_msgfree
will appear on screen. Scroll back through the output and you'll
see that the change was applied to your backup server. Press CTRL-C
to quit slurpd.

Congratulations! slurpd
is now working correctly. To start slurpd
again (and without debugging options), type
/usr/local/libexec/slurpd
and press Enter.

What to do if it doesn't work

Don't worry. This guide uses a large number of commands that
are case-sensitive and must be typed exactly as shown. A typo will
sabotage these instructions quite quickly. The first thing to do is
to clean up.

Type cd /usr/src/openldap-2.0.11 and press Enter.

Type make veryclean and press Enter.

Start at the beginning of this How To document again.

If it still doesn't work

The OpenLDAP software mailing list has a
large number of knowledgeable readers who may be able to help. First,
check the archives. If your question is not answered there, post a
question and wait for a response.